chore: simplify inode handling kernel side

Molter73 · Molter73 · commit a861f3d34c17 · 2026-04-06T16:22:22.000+02:00
diff --git a/fact-ebpf/src/bpf/events.h b/fact-ebpf/src/bpf/events.h
@@ -16,16 +16,16 @@ struct event_args_t {
   struct event_t* event;
   struct metrics_by_hook_t* metrics;
   const char* filename;
-  inode_key_t* inode;
+  inode_key_t inode;
   inode_key_t parent_inode;
   bool use_bpf_d_path;
 };
 
 __always_inline static void __submit_event(struct event_args_t* args) {
   struct event_t* event = args->event;
   event->timestamp = bpf_ktime_get_boot_ns();
-  inode_copy_or_reset(&event->inode, args->inode);
-  inode_copy_or_reset(&event->parent_inode, &args->parent_inode);
+  inode_copy(&event->inode, &args->inode);
+  inode_copy(&event->parent_inode, &args->parent_inode);
   bpf_probe_read_str(event->filename, PATH_MAX, args->filename);
 
   struct helper_t* helper = get_helper();
@@ -118,7 +118,7 @@ __always_inline static void submit_rename_event(struct event_args_t* args,
 
   args->event->type = FILE_ACTIVITY_RENAME;
   bpf_probe_read_str(args->event->rename.old_filename, PATH_MAX, old_filename);
-  inode_copy_or_reset(&args->event->rename.old_inode, old_inode);
+  inode_copy(&args->event->rename.old_inode, old_inode);
 
   __submit_event(args);
 }
diff --git a/fact-ebpf/src/bpf/file.h b/fact-ebpf/src/bpf/file.h
@@ -27,16 +27,16 @@ __always_inline static bool path_is_monitored(struct bound_path_t* path) {
   return res;
 }
 
-__always_inline static inode_monitored_t is_monitored(inode_key_t inode, struct bound_path_t* path, const inode_key_t* parent, inode_key_t** submit) {
-  const inode_value_t* volatile inode_value = inode_get(&inode);
+__always_inline static inode_monitored_t is_monitored(inode_key_t* inode, struct bound_path_t* path, const inode_key_t* parent) {
+  const inode_value_t* volatile inode_value = inode_get(inode);
   const inode_value_t* volatile parent_value = inode_get(parent);
 
   inode_monitored_t status = inode_is_monitored(inode_value, parent_value);
   if (status != NOT_MONITORED) {
     return status;
   }
 
-  *submit = NULL;
+  inode_reset(inode);
   if (path_is_monitored(path)) {
     return MONITORED;
   }
diff --git a/fact-ebpf/src/bpf/inode.h b/fact-ebpf/src/bpf/inode.h
@@ -80,6 +80,11 @@ __always_inline static long inode_remove(struct inode_key_t* inode) {
   return bpf_map_delete_elem(&inode_map, inode);
 }
 
+__always_inline static void inode_reset(struct inode_key_t* inode) {
+  inode->inode = 0;
+  inode->dev = 0;
+}
+
 typedef enum inode_monitored_t {
   NOT_MONITORED = 0,
   MONITORED,
@@ -99,16 +104,11 @@ __always_inline static inode_monitored_t inode_is_monitored(const inode_value_t*
   return NOT_MONITORED;
 }
 
-__always_inline static void inode_copy_or_reset(inode_key_t* dst, const inode_key_t* src) {
+__always_inline static void inode_copy(inode_key_t* dst, const inode_key_t* src) {
   if (dst == NULL) {
     return;
   }
 
-  if (src != NULL) {
-    dst->inode = src->inode;
-    dst->dev = src->dev;
-  } else {
-    dst->inode = 0;
-    dst->dev = 0;
-  }
+  dst->inode = src->inode;
+  dst->dev = src->dev;
 }
diff --git a/fact-ebpf/src/bpf/main.c b/fact-ebpf/src/bpf/main.c
@@ -49,17 +49,16 @@ int BPF_PROG(trace_file_open, struct file* file) {
   }
   args.filename = path->path;
 
-  inode_key_t inode_key = inode_to_key(file->f_inode);
-  args.inode = &inode_key;
+  args.inode = inode_to_key(file->f_inode);
 
   struct dentry* parent_dentry = BPF_CORE_READ(file, f_path.dentry, d_parent);
   struct inode* parent_inode_ptr = parent_dentry ? BPF_CORE_READ(parent_dentry, d_inode) : NULL;
   args.parent_inode = inode_to_key(parent_inode_ptr);
 
-  inode_monitored_t status = is_monitored(inode_key, path, &args.parent_inode, &args.inode);
+  inode_monitored_t status = is_monitored(&args.inode, path, &args.parent_inode);
 
   if (status == PARENT_MONITORED && event_type == FILE_ACTIVITY_CREATION) {
-    inode_add(&inode_key);
+    inode_add(&args.inode);
   }
 
   if (status == NOT_MONITORED) {
@@ -96,10 +95,9 @@ int BPF_PROG(trace_path_unlink, struct path* dir, struct dentry* dentry) {
   }
   args.filename = path->path;
 
-  inode_key_t inode_key = inode_to_key(dentry->d_inode);
-  args.inode = &inode_key;
+  args.inode = inode_to_key(dentry->d_inode);
 
-  if (is_monitored(inode_key, path, NULL, &args.inode) == NOT_MONITORED) {
+  if (is_monitored(&args.inode, path, NULL) == NOT_MONITORED) {
     m->path_unlink.ignored++;
     return 0;
   }
@@ -129,10 +127,9 @@ int BPF_PROG(trace_path_chmod, struct path* path, umode_t mode) {
   }
   args.filename = bound_path->path;
 
-  inode_key_t inode_key = inode_to_key(path->dentry->d_inode);
-  args.inode = &inode_key;
+  args.inode = inode_to_key(path->dentry->d_inode);
 
-  if (is_monitored(inode_key, bound_path, NULL, &args.inode) == NOT_MONITORED) {
+  if (is_monitored(&args.inode, bound_path, NULL) == NOT_MONITORED) {
     args.metrics->ignored++;
     return 0;
   }
@@ -167,10 +164,9 @@ int BPF_PROG(trace_path_chown, struct path* path, unsigned long long uid, unsign
   }
   args.filename = bound_path->path;
 
-  inode_key_t inode_key = inode_to_key(path->dentry->d_inode);
-  args.inode = &inode_key;
+  args.inode = inode_to_key(path->dentry->d_inode);
 
-  if (is_monitored(inode_key, bound_path, NULL, &args.inode) == NOT_MONITORED) {
+  if (is_monitored(&args.inode, bound_path, NULL) == NOT_MONITORED) {
     args.metrics->ignored++;
     return 0;
   }
@@ -212,21 +208,19 @@ int BPF_PROG(trace_path_rename, struct path* old_dir,
     goto error;
   }
 
-  inode_key_t old_inode = inode_to_key(old_dentry->d_inode);
-  inode_key_t new_inode = inode_to_key(new_dentry->d_inode);
+  args.inode = inode_to_key(new_dentry->d_inode);
 
-  inode_key_t* old_inode_submit = &old_inode;
-  args.inode = &new_inode;
+  inode_key_t old_inode = inode_to_key(old_dentry->d_inode);
 
-  inode_monitored_t old_monitored = is_monitored(old_inode, old_path, NULL, &old_inode_submit);
-  inode_monitored_t new_monitored = is_monitored(new_inode, new_path, NULL, &args.inode);
+  inode_monitored_t old_monitored = is_monitored(&old_inode, old_path, NULL);
+  inode_monitored_t new_monitored = is_monitored(&args.inode, new_path, NULL);
 
   if (old_monitored == NOT_MONITORED && new_monitored == NOT_MONITORED) {
     args.metrics->ignored++;
     return 0;
   }
 
-  submit_rename_event(&args, old_path->path, old_inode_submit);
+  submit_rename_event(&args, old_path->path, &old_inode);
   return 0;
 
 error:

Original file line number	Diff line number	Diff line change
`@@ -27,16 +27,16 @@ __always_inline static bool path_is_monitored(struct bound_path_t* path) {`
`27`	`27`	`return res;`
`28`	`28`	`}`
`29`	`29`
`30`		`-__always_inline static inode_monitored_t is_monitored(inode_key_t inode, struct bound_path_t* path, const inode_key_t* parent, inode_key_t** submit) {`
`31`		`- const inode_value_t* volatile inode_value = inode_get(&inode);`
	`30`	`+__always_inline static inode_monitored_t is_monitored(inode_key_t* inode, struct bound_path_t* path, const inode_key_t* parent) {`
	`31`	`+ const inode_value_t* volatile inode_value = inode_get(inode);`
`32`	`32`	`const inode_value_t* volatile parent_value = inode_get(parent);`
`33`	`33`
`34`	`34`	`inode_monitored_t status = inode_is_monitored(inode_value, parent_value);`
`35`	`35`	`if (status != NOT_MONITORED) {`
`36`	`36`	`return status;`
`37`	`37`	`}`
`38`	`38`
`39`		`- *submit = NULL;`
	`39`	`+ inode_reset(inode);`
`40`	`40`	`if (path_is_monitored(path)) {`
`41`	`41`	`return MONITORED;`
`42`	`42`	`}`